
Taking __libc_start_main apart

tags: Reverse
  1. Start from the entry point (start)
    • start
      1. At the very beginning of execution, the arguments are pushed onto the stack in reverse order, followed by argc
        ex. gdb> r aaa
        This pushes, in order, aaa, binary_path, 0x2 (two args) (0x4009d0 is the entry point)

        So the pop rsi on the third line pops argc from the top of the stack into rsi,
        the mov rdx, rsp on the fourth line passes the stack pointer, which now points at binary_path (argv), to rdx,
        and the rsp & 0xFFF0 on the fifth line makes sure the stack is 0x10-aligned
  2. __libc_start_main
    int __libc_start_main(int (*main) (int, char **, char **), int argc, char ** ubp_av, void (*init) (void), void (*fini) (void), void (*rtld_fini) (void), void (*stack_end));

    There are 7 parameters plus 1 extra one; the figure that listed them is missing here.

    Note: On x86, all parameters are passed directly on the stack (and there is one extra there too)
    Note: Whether on x86 or x64, start handling from the last parameter

    The state at the moment __libc_start_main is called
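As an added example (not code from this note), the following C models the argv block that start hands to __libc_start_main as ubp_av, derives envp the way glibc does (envp = &ubp_av[argc + 1], relying on ubp_av[argc] being NULL), and applies the 0x10 stack alignment from the fifth instruction. The sample stack contents and the function names are constructed for this example.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

/* Walk the block that start hands to __libc_start_main as ubp_av.
 * Layout on the initial stack, lowest address first:
 *   argv[0] .. argv[argc-1], NULL, envp[0] .. envp[n-1], NULL, auxv...
 * Returns envp, the entry right after argv's NULL terminator,
 * or NULL if argc does not match the terminator position. */
char **envp_from_ubp_av(int argc, char **ubp_av) {
    if (argc < 0 || ubp_av == NULL || ubp_av[argc] != NULL)
        return NULL;
    return &ubp_av[argc + 1];
}

/* Count envp entries; stops at the NULL that precedes auxv. */
int count_envp(char **envp) {
    int n = 0;
    if (envp == NULL) return -1;
    while (envp[n] != NULL) n++;
    return n;
}

/* Fifth instruction of start: clear the low 4 bits of rsp
 * (the note writes it as rsp & 0xFFF0) so the stack is 0x10-aligned. */
uintptr_t align_stack16(uintptr_t rsp) { return rsp & ~(uintptr_t)0xF; }

/* Constructed sample: the stack after `gdb> r aaa` for a binary at
 * /tmp/a.out (hypothetical path) with a two-entry environment. */
static char *sample_stack[] = {
    "/tmp/a.out", "aaa", NULL,    /* argv + terminator, argc == 2 */
    "HOME=/root", "LANG=C", NULL  /* envp + terminator */
};

int sample_argc(void) { return 2; }
char **sample_ubp_av(void) { return sample_stack; }

int main(void) {
    int argc = sample_argc();
    char **ubp_av = sample_ubp_av();
    char **envp = envp_from_ubp_av(argc, ubp_av);
    printf("argc=%d argv[0]=%s\n", argc, ubp_av[0]);
    for (int i = 0, n = count_envp(envp); i < n; i++)
        printf("envp[%d]=%s\n", i, envp[i]);
    printf("aligned rsp=0x%lx\n", (unsigned long)align_stack16(0x7ffe1234));
    return 0;
}
```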